- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 10.10
- Fix Version/s: 10.10-HF49, 11.x, 2021.6
- Component/s: Core
- Release Notes Summary: DocumentModelResolver computes the Document entity only if the Read permission is granted.
- Tags:
- Backlog priority: 650
- Sprint: nxplatform #36, nxplatform #37, nxplatform #38
- Story Points: 0

When a metadata property references a Document, DocumentModelResolver tries to fetch the DocumentModel.
It first tests AbstractSession#exists, which checks the BROWSE permission, and then tries to read the DocumentModel with AbstractSession#getDocument, which checks the READ permission.
1st problem: if a user has Browse permission but not Read permission, it throws an exception:
org.nuxeo.ecm.core.api.DocumentSecurityException: Privilege 'Read' is not granted to 'xxx'
    at org.nuxeo.ecm.core.api.AbstractSession.checkPermission(AbstractSession.java:222) ~[nuxeo-core-10.10-HF36.jar:?]
    at org.nuxeo.ecm.core.api.AbstractSession.getDocument(AbstractSession.java:960) ~[nuxeo-core-10.10-HF36.jar:?]
    at org.nuxeo.ecm.core.model.DocumentModelResolver.lambda$fetch$1(DocumentModelResolver.java:193) ~[nuxeo-core-10.10-HF36.jar:?]
    at org.nuxeo.ecm.core.model.DocumentModelResolver.resolve(DocumentModelResolver.java:257) ~[nuxeo-core-10.10-HF36.jar:?]
    at org.nuxeo.ecm.core.model.DocumentModelResolver.fetch(DocumentModelResolver.java:191) ~[nuxeo-core-10.10-HF36.jar:?]
    at org.nuxeo.ecm.core.io.marshallers.json.document.DocumentPropertyJsonWriter.fetchProperty(DocumentPropertyJsonWriter.java:170) ~[nuxeo-core-io-10.10-HF36.jar:?]
    at org.nuxeo.ecm.core.io.marshallers.json.document.DocumentPropertyJsonWriter.writeListProperty
2nd problem: in the case where the user does not have Browse or Read permission, the DocumentModelResolver#fetch method should return the document ref.
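
The mismatch between the guard and the fetch can be reproduced in a small stand-alone model. This is an added example, not Nuxeo code: the `Session` class, `fetchBefore`, `fetchAfter`, the ACL data and the `"ref:"` string are hypothetical stand-ins, and returning `null` when `exists` fails is an assumption, since the ticket does not say what was returned in that case.

```java
import java.util.Map;
import java.util.Set;

public class ResolverPermissionDemo {
    // Stand-in for org.nuxeo.ecm.core.api.DocumentSecurityException.
    static class DocumentSecurityException extends RuntimeException {
        DocumentSecurityException(String msg) { super(msg); }
    }

    // Toy session: maps a document id to the permissions the current user holds (constructed data).
    static class Session {
        final Map<String, Set<String>> acl;
        Session(Map<String, Set<String>> acl) { this.acl = acl; }
        boolean hasPermission(String id, String perm) {
            return acl.getOrDefault(id, Set.of()).contains(perm);
        }
        // As described in the ticket: exists() checks Browse, getDocument() checks Read.
        boolean exists(String id) { return hasPermission(id, "Browse"); }
        String getDocument(String id) {
            if (!hasPermission(id, "Read")) {
                throw new DocumentSecurityException("Privilege 'Read' is not granted");
            }
            return "DocumentModel(" + id + ")";
        }
    }

    // Before: guard and fetch test different permissions, so a Browse-only user hits the exception.
    // Returning null when exists() fails is an assumption made for this model.
    static Object fetchBefore(Session s, String id) {
        return s.exists(id) ? s.getDocument(id) : null;
    }

    // After: resolve the document only when Read is granted; otherwise return the bare reference.
    static Object fetchAfter(Session s, String id) {
        return s.hasPermission(id, "Read") ? s.getDocument(id) : "ref:" + id;
    }

    public static void main(String[] args) {
        Session s = new Session(Map.of(
                "doc-read", Set.of("Browse", "Read"),
                "doc-browse", Set.of("Browse")));
        for (String id : new String[] {"doc-read", "doc-browse", "doc-hidden"}) {
            String before;
            try { before = String.valueOf(fetchBefore(s, id)); }
            catch (DocumentSecurityException e) { before = "EXCEPTION: " + e.getMessage(); }
            System.out.println(id + " before=" + before + " after=" + fetchAfter(s, id));
        }
    }
}
```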